
On 15 July 2026, Microsoft released the largest Patch Tuesday ever: over 570 vulnerabilities, including two zero-days being actively exploited in the wild. AD FS and SharePoint Server are at the centre. What is happening, which systems are urgent, and how do you handle the patch rollout?
On 15 July 2026, Microsoft released the largest Patch Tuesday on record. With over 570 vulnerabilities, this update surpasses all previous editions. Among the fixes are three zero-days, two of which are already being actively exploited by attackers. The US government agency CISA has issued tight deadlines for federal organisations, but the urgency applies equally to any IT team managing Active Directory Federation Services or SharePoint Server on-premises.
This article gives you a clear picture of which vulnerabilities are at the centre, what the risks are, and how to deploy the patches as quickly and controlled as possible.
The July 2026 monthly Microsoft security update addresses between 570 and 622 individual vulnerabilities depending on the counting method used. That is the largest number Microsoft has ever released in a single round. For comparison, an average Patch Tuesday covers between 60 and 120 items. The jump to this volume partly reflects a changed counting methodology where dependent packages are more often listed separately, but it also reflects the increased attack surface of the Microsoft ecosystem.
Of the total vulnerabilities fixed, 59 are classified as Critical. Within that group, 48 are Remote Code Execution, meaning an attacker can execute code remotely without physical access to the system. Nine are Elevation of Privilege, and two cover a security bypass and a spoofing vulnerability respectively.
The two most urgent vulnerabilities are CVE-2026-56164 in Microsoft SharePoint Server and CVE-2026-56155 in Active Directory Federation Services. Both are zero-days that were already being actively exploited by attackers at the time of publication. CISA has added them to the official Known Exploited Vulnerabilities catalogue and issued strict patch deadlines to federal organisations.
CVE-2026-56164 is an Elevation of Privilege vulnerability in SharePoint Server. What makes this flaw extremely dangerous is the combination of factors: an attacker requires no existing authentication, the attack is carried out entirely over the network, and the attack complexity is low. In practice, anyone who can reach your SharePoint environment via the internet can attempt to exploit this vulnerability without needing an account. The CVSS score of 5.3 understates the real threat; the active exploitation and the absence of an authentication requirement make this a top priority.
CVE-2026-56155 affects Active Directory Federation Services and allows an attacker to escalate their local privileges to administrator level. The CVSS score is 7.8 and the vulnerability was discovered by the Microsoft Detection and Response Team, meaning Microsoft has observed it in active attacks. For many organisations, AD FS is the bridge between on-premises Active Directory and cloud applications such as Microsoft 365. A compromised AD FS system can provide broad access to connected services.
The third zero-day, CVE-2026-50661, is a protection mechanism bypass in Windows BitLocker. An attacker with physical access to the device can circumvent BitLocker encryption and access protected data without going through the normal recovery key process. Microsoft confirms this vulnerability is not yet being actively exploited, but the threat is real for lost or stolen business laptops.
For organisations that rely on BitLocker as the primary encryption solution for mobile workstations, this is an additional reason to deploy the update quickly. The patch changes the underlying protection mechanism so that the bypass method no longer works. Adding a TPM PIN requirement remains a useful defence-in-depth layer alongside the patch.
SharePoint Server on-premises is exposed to the internet by many organisations, either directly or via a reverse proxy. The vulnerability CVE-2026-56164 requires no authentication and has low attack complexity. This makes it an ideal target for automated scanning tools that are already actively looking for vulnerable versions and attempting exploitation.
The deadline CISA set for federal agencies on CVE-2026-56164 is 17 July 2026, which is today. For non-federal organisations this deadline carries no legal weight, but the signal is clear: urgency is at its maximum. SharePoint environments that are exposed to the internet should be assessed today. If patching today is not feasible, consider temporarily blocking or restricting internet access to SharePoint to trusted IP ranges until the patch can be applied.
Organisations that exclusively use SharePoint Online via Microsoft 365 are not vulnerable to CVE-2026-56164. This vulnerability applies only to on-premises SharePoint Server installations.
For CVE-2026-56155 in AD FS, CISA has set a deadline of 28 July 2026. That allows slightly more time, but the severity of a compromised AD FS system calls for prompt action. AD FS servers are typically protected behind a Web Application Proxy and are less directly internet-facing than SharePoint, but the vulnerability only requires local access, making it reachable via an already-compromised system on the same network.
Organisations that have migrated AD FS to Entra ID federation, or that have moved entirely to Entra ID and no longer run on-premises AD FS, do not need to patch CVE-2026-56155. For organisations still operating in hybrid mode with AD FS as their federation server, patching is the only structural solution.
Security updates for Windows components are distributed through the usual channels. For organisations using Windows Update for Business or Intune Endpoint Security Update Rings, the update is available as soon as Microsoft releases it. In Intune, synchronise the update ring and set a deadline date for forced installation.
For SCCM environments, run a manual synchronisation of the Software Updates catalogue, select the relevant Patch Tuesday updates, and create a deployment package. Make sure the Critical classification is included in your deployment criteria filters so that the 59 critical updates are prioritised in your rollout.
The SharePoint Server patch is a separate installation package deployed independently from the Windows Update infrastructure. Administrators managing on-premises SharePoint Server must manually download the patch from the Microsoft Update Catalog or the SharePoint Cumulative Update page and install it on all servers in the SharePoint farm. After installation, an IIS reset and restart of the SharePoint Timer Service are required.
For AD FS servers, a Windows Server update is available for distribution via SCCM or Intune. AD FS servers are typically excluded from automatic updates due to their critical role; make an exception for this patch and schedule installation within a controlled maintenance window in the near term.
Five actions IT teams should take in the next 48 hours. First: inventory which on-premises systems are affected. On-premises SharePoint Server, AD FS servers, and Windows endpoints are the priorities. Second: patch SharePoint Server today if the environment is internet-exposed, or temporarily restrict access. Third: schedule the AD FS maintenance window for no later than 25 July to stay comfortably ahead of the deadline. Fourth: verify via Intune or SCCM that the Windows updates covering the 59 critical vulnerabilities are being rolled out to all endpoints. Fifth: check that BitLocker policies and TPM PIN requirements are correctly configured for mobile workstations as an additional layer alongside the patch.
The scale of this Patch Tuesday is exceptional, but the approach is the same as always: prioritise by severity and exploitation status, ensure a manageable rollout via your existing tooling, and document what you applied and when. Do you need support setting up a structured patch policy, managing SharePoint or AD FS in your environment, or configuring Intune for automated update deployment? Contact Zarioh for a no-obligation conversation.
Zarioh Digital Solutions
IT specialists from Utrecht, the Netherlands. We help businesses with Microsoft 365, AI agents, hosting and telephony — and share what we learn in practice. Follow us on LinkedIn

Security

Security

Security